PRESS BRIEFING BY CHIEF OF STAFF JOHN PODESTA, SECRETARY OF
COMMERCE BILL DALEY, JAMES MADISON UNIVERSITY PRESIDENT LINWOOD
ROSE AND NATIONAL COORDINATOR FOR SECURITY, INFRASTRUCTURE
PROTECTION AND
COUNTER-TERRORISM DICK CLARKE

10:25 A.M. EST

THE WHITE HOUSE

Office of the Press Secretary

For Immediate Release

January 7, 2000

MR. LEAVY: Good morning, everybody. As you know, the President
announced his cyber-security plan this morning, and to answer your
questions and talk a little bit more about that with the Chief of
Staff, John Podesta, Secretary of Commerce, Bill Daley, President
Linwood Rose of James Madison University, and joining in the
questions will be Dick Clarke, the President's counterterrorism
czar.

Mr. Podesta.

MR. PODESTA: This is the first time I've appeared with a czar,
so excuse me if I'm a little bit nervous. (Laughter.)

The President made his announcement this morning, but I would
just note at the outset that, again, this morning we had a
continuing evidence of a robust economy. This year, we had, in
calendar year 1999, we're looking at an unemployment for the year
that's the lowest since 1969, the lowest Hispanic and African
American unemployment rates on record.

The economy continues to perform outstandingly. And part of the
reason for that is the fact that we have a new economy, an
economy that's built on information, technology information,
infrastructure. It's really beginning to move into all aspects of
our economy and the way we handle goods and services.

And just as in the 1950s when we were building an economy based
on a new transportation system, a new interstate highway system
and we put guardrails on that transportation system, we're here
today to talk about how we can better protect the information
technology and infrastructure of the information technology
economy -- not only for the government, but for the private
sector, as well. And that's why I'm pleased to be joined by
Secretary Daley and President Linwood Rose from James Madison;
and, as Dave said, Dick Clarke will join us for questions.

The President made the announcement this morning. We have made
substantial boosts in the amount of money that the government is
spending on this effort to protect our critical infrastructure,
and this year's budget will be no exception. We are going to
request a 17 percent increase in funding over the FY 2000 budget,
and the proposed spending will be across the government. We will
be seeking an increase of approximately $2 billion, from $1.7
billion, with increases in every agency and every sector.

One of the greatest boosts, I think, will be -- and Secretary
Daley will speak about this -- will be in the area of research and
development. The R&D now represents 32 percent of our critical
infrastructure protection. It's really important that we do that,
that we produce, in partnership with the private sector and in
partnership with the information technology companies who are at
the forefront of this revolution, on new technologies that can be
rapidly put into the information infrastructure to begin to
provide the kinds of protections that we're here to talk
about.

So the overall increase in the R&D and R&E portion that
we're going to speak to as part of the President's overall
commitment to increases in research and development which, again,
we'll lay out a future point as we talk about our budget.

But with that, let me turn it over to Secretary Daley to talk
about the report.

SECRETARY DALEY: Thank you very much, John. As you said, no
question, we have a new economy and we have an economy that is
much more dependent, as we enter this next century, on information
technologies. So our defending of this economy is most important
to us, especially at a time of great economic boom that we're
experiencing.

One of the consequences of leading this e-world is that we, as
I mentioned, are more dependent on information technologies in our
country, and therefore we're more subject to new and different
kinds of threats. It is true for our services as governments, and
it is also true for the private sector, whether they are large
companies or small companies. In our opinion, businesses risk
going out of business if their computer networks are obviously
disrupted for any great length of time.

This is the first time in American history that we in the
federal government, alone, cannot protect our infrastructure. We
can't hire an army or a police force that's large enough to
protect all of America's cell phones or pagers or computer
networks -- not when 95 percent of these infrastructures are owned
and operated by the private sector.

We just spent, as we all know, about $100 billion as a nation,
private sector and the public sector, in correcting the Y2K
problem. If people had thought about this 25 years ago, we may not
have had the situation where we would have had to spend so much.
Y2K taught us many things. One is that we must be prepared. So the
President and the Vice President asked us to develop a national
plan to defend America's cyberspace. Twenty-two federal agencies
have worked on this. It is the first attempt by any nation to do
something like this.

Today we have our first version. As you can see, it is
designated version 1.0. (Laughter.) It focuses on what we in the
federal government can do to protect our federal assets. But for
this to be a true national plan, later versions must include, and
will include, what the private sector, and also the state and
local governments, can do.

Last month, I met with industry leaders, and we are already in
the process of building a true partnership with them. Cooperation,
rather than new regulations, will bring more resources to the
table, and we will therefore have the opportunity to produce
results faster. That is the political reality, and in our opinion,
one of the greatest challenges that government faces in this
century is, how do we deliver services more effectively. In
dealing with the private sector, we can learn a lot from them. By
partnering and sharing information, we can improve our own
efforts, and also work with them to make their systems, and ours,
more secure.

The end result is that we will all, therefore -- and our
economy will be better off. The American people can read this
report on our website by the end of today, on the White House's
website, and also on the NSC website. And if any of you would like
a copy for your own files, we'd be happy to supply them for
you.

And it's my pleasure at this point -- there are a number of
universities who are looking and are forward-leaning. About eight
universities are developing curriculums in cybersecurity. One of
them is James Madison University, and it is a pleasure to
introduce Lin Rose, the President of James Madison.

MR. ROSE: Thank you. Good morning. As president of an
institution that, several years ago, recognized the need for
information security education, I'm particularly encouraged by
today's news. As a nation, we do face a critical need for
information assurance experts. Our economic growth has been fueled
by our leadership in information technology, and we have become
more dependent upon computing and electronic networks than any
other country in the world.

That distinction also makes us more vulnerable than any other
country in the world. Our information systems, if not carefully
protected, may be accessed by those whose intentions are much more
serious than just mischief. Dependence upon electronic data
systems is no longer unique to computing and telecommunications
alone. Power generation, banking and finance, transportation,
water supply and emergency services are all dependent upon
information systems and are susceptible to disruption by hackers
and criminals.

To protect these systems, we must have more information
assurance people -- people who have the talent and expertise to
evaluate system vulnerabilities, who understand encryption
methodologies to protect critical data, and who are able to design
trusted systems and provide for intruder monitoring and
detection.

Higher education is the key to providing more of these
professionals. Universities have begun to address this work force
need, but if we are to accelerate the numbers of competent
professionals at the rate that is required, federal support for
faculty development and student assistance is essential.

The standard academic mechanisms and processes are too slow to
satisfy the current and projected demand in a reasonable amount of
time. Without external stimulus and support, we will simply fail
to protect our country's information infrastructure. Like most new
professional programs, much of the activity and information
security has been focused at the graduate level.

For example, with the support and encouragement of Virginia
Senators Warner and Robb, as well as Congressman Goodlatte, at
James Madison University we now offer a master's degree in
information security. That program, intended for working
professionals, is the only degree program in the country provided
to students via the Internet. Approximately one-half of the
students are from government, while the remaining participants
come from business and industry. Programs such as this one must be
expanded.

It is imperative, however, that we develop undergraduate
programs that will prepare information security specialists. The
cyber-service model advanced in the President's plan will provide
incentives to attract students in greater numbers. The
cyber-service will also attract the interest of colleges and
universities who are wrestling with the numerous curricular
opportunities available to them in technology-related fields.

In short, this program, once fully implemented, will produce
the desired results. Eight institutions, designated by the
National Security Agency as centers of excellence in information
security education, have been working with the administration over
the last 18 months to examine methods for expanding information
security education. With the announcement of this plan, others
will be certain to join in a national effort to advance and
address this critical work force shortage.

The consortium of these eight universities, along with the
National Colloquium for Information Systems Security Education,
which includes representatives from government, business and
education, will continue to build the necessary curriculum,
promote awareness of security issues, conduct research, establish
competency standards and develop an information clearinghouse, as
well as generally promoting the profession. The support provided
through this plan will reinforce and enhance the effort.

By empowering higher education to be part of the solution to
the national information security problem, the President has set
forth a plan that will provide the nation and its citizens with
the assurance that our businesses, our government and our personal
interests are secure and protected. Thank you.

Q Mr. Podesta, would you mind going over those figures again,
as to what the President is asking for, and the increase that is,
and what the breakdown is?

MR. PODESTA: Dick, you want to join us?

Q Gene Randall didn't get that. (Laughter.)

MR. PODESTA: There is a 17 percent increase in funding in the
proposed FY 2001 budget. Proposed spending across the government
will increase to $2.0 billion, from -- the Congress appropriated
last year $1.75 billion, based on a request from the
administration of $1.77 billion. So they actually did -- we were
successful in achieving most of what we requested in total dollar
amounts. But we're asking now for a 17 percent increase in that
amount to a total of approximately 2.03, I think is the accurate
number.

Do you want to give a little bit more on the breakdown,
Dick?

MR. CLARKE: Sure. We have these nice color charts to pass out;
if you haven't already received them, we'll get them to you. As
John said, it's a 17 percent increase that we're asking for in
2001 over the appropriated money from 2000. There was a similar
request, similar increase last year. So the compounded effect of
that over the last two years is considerable.

The largest increase in the percentage basis is for research
and development. The President, as he said, is proposing an
institute for information infrastructure protection. This is a
research organization that will work closely with the private
sector. It's not a building, it's not a new bureaucracy, it's a
funding mechanism so that the federal government can match private
sector funds and plug the holes in the R&D requirements.
R&D will rise the President's plan from $461 million last year
to $621 million in the year 2001.

Q Secretary Daley, this cyber-security version of the G.I. Bill
that the President talked about this morning, what would be the
required service, postgraduate, and in what agencies would these
people find employment?

SECRETARY DALEY: I don't think we've worked out the details as
to the length of service that would be required. We obviously want
to work with the institutions and work with the federal agencies
as to what sort of length of service they thought would be
appropriate.

Q Are you talking about two years, three years, four years?
It's four years in the G.I. Bill, isn't it?

MR. CLARKE: Yes. The typical federal requirement is a year of
service for every year -- a year of service for every year of
scholarship. So if, for example, someone had a four-year
undergraduate program at James Madison or somewhere else, we would
expect them to do four years of service in the federal government,
in any federal department that wanted them, helping that federal
department to protect its own computer systems. So these are IT
security managers that would help the federal government improve
security on federal computers.

Q Do you know what the job designation would be, in terms of
federal pay scale?

MR. CLARKE: Well, one of the things that the Office of
Personnel Management is looking at --

Q For example, will they make more money than Mr. Leavy or --
(laughter.)

MR. CLARKE: That's not hard. That's not hard.

One of the things that OPM, the Office of Personnel Management,
is looking at is whether or not we have to abandon the normal
federal grades -- GS7, GS8, GS9. For example, if you graduate now
with a bachelor's of science in computer information, typically
you would become a GS7. Now, that's going to earn somewhere in the
area of $28,000 to $30,000. That same person, with that same
degree, can go out to the Dulles access road or Silicon Valley,
and earn $90,000 to $120,000. So we have to look seriously, and
OPM is going to look seriously, at adjusting the grade structure.
So we might not use the normal federal grade structure to pay IT
security workers.

Q What's the biggest threat that you're trying to guard
against? Is it hackers and vandalism? Is it criminals? Or is it
domestic or foreign terrorism?

MR. CLARKE: I think it's all of the above. There's a spectrum,
from the teenage hacker who sort of joy rides through cyberspace,
up through industrial espionage, up through fraud and theft. And
up at the far end of the spectrum, to another country using
information warfare against our infrastructure.

Q Mr. Podesta, or Secretary Daley, is the catalyst for this the
situation that happened with the White House computer last year,
and several infiltration situations with some of the federal
government computers last year, as well?

MR. PODESTA: Well, I wouldn't describe that as the catalyst for
this. I think we've been working on this for some time, and have
-- as I think Dick noted, this has been going on in a kind of
serious formulation as a policy for several years, and precedes
the situation, which was resolved -- with the hacker at the White
House -- with an arrest, that occurred last year.

But I think that, obviously, every agency, every department of
government, but every private sector institution that's relying on
the information infrastructure. It's not just computers; it's the
electric power grid, it's the other things that we learned so much
about during our run-up to Y2K. The banking, financial industry --
increasingly every single sector of the economy is tied in, linked
through e-commerce, through the use of computer technology, to
this kind of critical infrastructure which has developed over the
course of the '70s, '80s and '90s.

And so I think that it's a high national security priority, to
begin to protect all of the infrastructure, not just the federal
government infrastructure. And that's why we're excited about
having a partnership with the university community and the private
sector.

SECRETARY DALEY: Let me just add, what the White House
experienced, I would imagine every agency in the government, we
have experienced, from harmless, seemingly harmless invasions, to
others that gave us great concern. So what happened here was
replicated, I would assume, in every department.

Q A follow-up: how vulnerable are the systems right now?

SECRETARY DALEY: Well, we believe they're much better. I speak
for our agency, and obviously this program that we've put out with
the 22 agencies, believe that our federal program right now in
protecting our systems and our assets, is much better than
obviously we were before we went through this process.

Q Secretary Daley, just to follow up on some of the questions
here, can you give us -- what are some credible scenarios for the
type of thing that you're trying to prevent here? We all know
about the teenage hacker, or the cyber-vandal. But can you give us
some scenarios for the more elaborate types of problems --

SECRETARY DALEY: Well, remember when there was that -- when was
that lightning strike in Florida that hit the system, that
basically knocked out --

MR. CLARKE: Two years ago.

SECRETARY DALEY: Two years ago -- knocked out most of the East
Coast, much of the grid along the East Coast. That was obviously
an act of nature. No one, at that point, understood how everything
was connected along the East Coast, and would be so affected for a
couple of hours. And that, I think, woke up not only some of us in
government, but surely affected the private sector's attitude
about a better understanding of the interconnection and our
involvement in trying to address this. It will not be solved,
though, without partnership.

Q Okay, you mentioned foreign governments. And to what extent
do foreign governments have the capability to engage in this kind
of disruption? And are you looking at disruptions on the part of
foreign governments to private sector operations, or just the
government?

MR. CLARKE: We are aware, now, over the course of the last two
years, that several other nations have developed offensive
information warfare units, organizations, tactics, doctrine and
capability. Now, that doesn't mean they're going to use them. But
it means that they're developing them, they're getting better all
the time.

And in a crisis, historically, nations have attacked each
other's infrastructure. Nations have gone after, in warfare
situations or crisis situations, electric power grids,
telecommunications, transportation networks. So it's not
inconceivable to have a scenario in the future in which a future
opponent might think that they could attack our civilian,
privately-owned infrastructure through computer attack.

Q Can you say which countries those are?

Q And do we have such an offensive capability ourselves?

MR. CLARKE: You'd have to ask the Defense Department about
that. And, no, we're not going to name names of other
countries.

Q Why not? I mean, what's the big secret?

Q Why shouldn't you tell us?

Q The President kicked off this initiative almost two years
ago. And I know that you had a May '99 deadline, or a self-set May
'99 deadline for putting out this report. What's taking so long?
And why isn't the physical protection included in this, because as
you have just said, you can just as easily take down critical
infrastructures with physical attacks.

MR. CLARKE: We had a May 1999 self-imposed deadline. We decided
not to meet that deadline; but, rather, to take the time to get it
right; to take the time to do the sort of consultation that we
have done with the Congress, and with the private sector.
Secretary Daley mentioned that last month he met with 94 companies
in New York as part of that consultative process. As John Podesta
said, this is version 1.0. There are going to be other versions as
the dialogue continues with the Congress and with the private
sector.

Q It's my understanding as well that the NIAC hasn't stood up
yet? You don't have a lead for that? Is that true?

MR. CLARKE: The President has signed an executive order to
create a National Infrastructure Advisory Committee, and we are in
the process now of doing the personnel selection for that advisory
committee.

Q Gentlemen, there is a real revolution in the way computers
are being used now. Fifteen years ago, it was mainly a business
application. Now, they're in all parts of the home, and the talk
is, within a few years we're going to have IP appliances in
people's homes. Shouldn't you be focusing more effort not just on
the private sector but, in fact, on the general public? And why
does part of this report still suggest that much of this
information will be precluded from reaching the general
public?

MR. CLARKE: I don't think the report at all suggests that
information is going to be denied to the general public. What
we're looking at in terms of prioritizing our activities are the
things which would have the greatest effect on the greatest number
of people. And so, if there were a computer attack on a power
grid, that would have a great effect on millions of people. It's
certainly true that individual computers, your PC at home could be
hacked, but chances are no one is going to do that. The real
threat is to the larger infrastructures and not to an individual
home.

Q John, if I could ask you another unrelated question.
Republicans yesterday apparently proposed a package of smaller
targeted tax cuts, including the marriage penalty. Is this the
kind of tax cut the administration could work with the Republicans
on, and do you guys have a position on the marriage penalty
tax?

MR. PODESTA: Well, I'd like to think that the Republican
leadership spent some of the time since the break in November
listening to their constituents, and have gotten on a program more
similar to the President's which is to address the critical needs
of the country -- Social Security, Medicare, education, and the
other priorities, and come up with a tax cut that fits within an
overall framework of fiscal discipline. They put out some numbers
yesterday that were obviously much more consistent with what the
President was talking about over the course of the last year than
the risky tax scheme they put forward and was rejected by the
President, vetoed by the President, and rejected by the American
people.

But I think we need to see the whole plan, and to try to --
hopefully we can find some consensus, work together, to do those
critical priorities -- to address Social Security, to address
Medicare, to make the important investments that we've talked
about. And, as we have said, we think there's room within the
overall context of the surplus to find some targeted tax cuts that
will be aimed at the middle class, that will not be loaded up in
favor of the wealthiest Americans, but that are spread and aimed
at addressing critical priorities.

With respect to the marriage penalty, I think we've said that
within the context of tax relief, that we're open to discussions
about tax relief in that area. But it's got to be part of an
overall program that's fiscally disciplined, and that aims at our
key priorities. And, obviously, we want to aim our tax cuts at the
middle class, and the President's budget, which he will put
forward in the next month or so, will aim to do that.

Q Dick, for those of us who still sort of cling to the old
technology because it never gives you a fatal exception error, how
much distance is it in bridging security between hacking a website
and actually getting into the infrastructure and turning things
off?

MR. CLARKE: The same techniques that people use to find
vulnerabilities or back-doors into websites can be used to hack
your way into computer-controlled networks. Things like the power
grid and railroads and whatnot, telecommunications, are
computer-controlled networks. And many of the same principles of
finding vulnerabilities and hacking your way into a website are
applied in hacking your way into a computer-controlled
network.

Q How much extra distance is there?

MR. CLARKE: Not much.

MR. LEAVY: I'm sorry, last question.

Q Oh, a question about the Fidnet portion that was very
controversial with civil liberties groups. And how big is the
Fidnet to this whole plan? Is it a central part, or a small
piece?

MR. CLARKE: We think the federal government has a positive
obligation to protect the privacy information, and other
information on federal government computer systems. Just as your
files, the files about you in the IRS or elsewhere in the
government, are in a file drawer with a lock on it, and there's a
burglar alarm protecting that office in physical space, so we
think there should be a burglar alarm and a lock on files the
federal government has in cyberspace. The federal intrusion
detection network that we propose is just that. It's a burglar
alarm for federal files in cyberspace. It, in no way, will intrude
onto private computer systems -- private sector computer systems.
It's only a government protection system for government sites.
It's designed to protect privacy and enhance privacy.